Network Working Group D. Piper
Request for Comments: 2407 Network Alchemy
Category: Standards Track November 1998
The Internet IP Security Domain of Interpretation for ISAKMP
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved.
IESG Note
Section 4.4.4.2 states, "All implementations within the IPSEC DOI
MUST support ESP_DES...". Recent work in the area of cryptanalysis
suggests that DES may not be sufficiently strong for many
applications. Therefore, it is very likely that the IETF will
deprecate the use of ESP_DES as a mandatory cipher suite in the near
future. It will remain as an optional use protocol. Although the
IPsec working group and the IETF in general have not settled on an
alternative algorithm (taking into account concerns of security and
performance), implementers may want to heed the recommendations of
section 4.4.4.3 on the use of ESP_3DES.
1. Abstract
The Internet Security Association and Key Management Protocol
(ISAKMP) defines a framework for security association management and
cryptographic key establishment for the Internet. This framework
consists of defined exchanges, payloads, and processing guidelines
that occur within a given Domain of Interpretation (DOI). This
document defines the Internet IP Security DOI (IPSEC DOI), which
instantiates ISAKMP for use with IP when IP uses ISAKMP to negotiate
security associations.
For a list of changes since the previous version of the IPSEC DOI,
please see Section 7.
2. Introduction
Within ISAKMP, a Domain of Interpretation is used to group related
protocols using ISAKMP to negotiate security associations. Security
protocols sharing a DOI choose security protocol and cryptographic
transforms from a common namespace and share key exchange protocol
identifiers. They also share a common interpretation of DOI-specific
payload data content, including the Security Association and
Identification payloads.
Overall, ISAKMP places the following requirements on a DOI
definition:
o define the naming scheme for DOI-specific protocol identifiers
o define the interpretation for the Situation field
o define the set of applicable security policies
o define the syntax for DOI-specific SA Attributes (Phase II)
o define the syntax for DOI-specific payload contents
o define additional Key Exchange types, if needed
o define additional Notification Message types, if needed
The remainder of this document details the instantiation of these
requirements for using the IP Security (IPSEC) protocols to provide
authentication, integrity, and/or confidentiality for IP packets sent
between cooperating host systems and/or firewalls.
For a description of the overall IPSEC architecture, see [ARCH],
[AH], and [ESP].
3. Terms and Definitions
The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
document, are to be interpreted as described in [RFC 2119].
4.1 IPSEC Naming Scheme
Within ISAKMP, all DOIs must be registered with the IANA in the
"Assigned Numbers" RFC [STD-2]. The IANA Assigned Number for the
Internet IP Security DOI (IPSEC DOI) is one (1). Within the IPSEC
DOI, all well-known identifiers MUST be registered with the IANA
under the IPSEC DOI. Unless otherwise noted, all tables within this
document refer to IANA Assigned Numbers for the IPSEC DOI. See
Section 6 for further information relating to the IANA registry for
the IPSEC DOI.
All multi-octet binary values are stored in network byte order.
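As an added illustration of the two rules above (the IPSEC DOI number is 1, and multi-octet values travel in network byte order), here is a small parser and builder for the fixed part of an ISAKMP Security Association payload. This is example code written for this page, not code from the RFC or from any ISAKMP implementation. It assumes the SA payload layout from the ISAKMP base specification (RFC 2408: Next Payload, RESERVED, Payload Length, DOI, then DOI-specific data), which this page refers to but does not reproduce; the function names and the sample bytes are constructed for the example. A responder that receives a DOI it does not recognise cannot interpret the Situation or the proposals that follow, so the parser rejects such payloads rather than guessing.

```python
import struct

# IANA Assigned Number for the Internet IP Security DOI (Section 4.1).
IPSEC_DOI = 1

# Fixed part of the SA payload, layout assumed from RFC 2408:
#   Next Payload (1 octet), RESERVED (1), Payload Length (2), DOI (4).
# "!" in the struct format selects network byte order (big-endian).
SA_FIXED_FORMAT = "!BBHI"
SA_FIXED_LEN = struct.calcsize(SA_FIXED_FORMAT)  # 8 octets


def parse_sa_payload(data: bytes) -> dict:
    """Decode the fixed SA payload header and validate it for the IPSEC DOI.

    Raises ValueError on truncated data, an inconsistent length field,
    or a DOI other than the IPSEC DOI. The DOI-specific remainder
    (Situation and proposals, Section 4.2 onward) is returned as raw bytes.
    """
    if len(data) < SA_FIXED_LEN:
        raise ValueError("SA payload shorter than its 8-octet fixed header")
    next_payload, _reserved, length, doi = struct.unpack(
        SA_FIXED_FORMAT, data[:SA_FIXED_LEN]
    )
    if length < SA_FIXED_LEN or length > len(data):
        raise ValueError(
            f"payload length {length} inconsistent with {len(data)} octets present"
        )
    if doi != IPSEC_DOI:
        # Anything after the DOI field is only meaningful within that DOI's
        # namespace, so an unknown DOI must not be interpreted further.
        raise ValueError(f"unsupported DOI {doi}; only IPSEC DOI ({IPSEC_DOI}) handled")
    return {
        "next_payload": next_payload,
        "length": length,
        "doi": doi,
        "doi_specific": data[SA_FIXED_LEN:length],
    }


def is_valid_sa_payload(data: bytes) -> bool:
    """Convenience wrapper: True if parse_sa_payload accepts the bytes."""
    try:
        parse_sa_payload(data)
        return True
    except ValueError:
        return False


def build_sa_payload(doi_specific: bytes, next_payload: int = 0) -> bytes:
    """Encode an IPSEC DOI SA payload; RESERVED is sent as zero."""
    length = SA_FIXED_LEN + len(doi_specific)
    return struct.pack(SA_FIXED_FORMAT, next_payload, 0, length, IPSEC_DOI) + doi_specific


# Constructed sample: IPSEC DOI followed by a 4-octet DOI-specific body
# (a Situation value; its bit definitions begin in Section 4.2).
SAMPLE = build_sa_payload(b"\x00\x00\x00\x01")

# Constructed negative case: the same payload with the DOI field written in
# host (little-endian) order. Read correctly in network order it decodes as
# 16777216, not 1, and is rejected. This is the classic byte-order mistake.
BAD_ENDIAN = SAMPLE[:4] + (1).to_bytes(4, "little") + SAMPLE[8:]

# Constructed negative case: length field claims more octets than are present.
TRUNCATED = SAMPLE[:2] + (64).to_bytes(2, "big") + SAMPLE[4:]

if __name__ == "__main__":
    print(parse_sa_payload(SAMPLE))
    print("little-endian DOI accepted:", is_valid_sa_payload(BAD_ENDIAN))
    print("over-long length accepted:", is_valid_sa_payload(TRUNCATED))
```

The length check is deliberately done before the DOI check: the length field is what a receiver uses to find the next payload, so a bad length is the first thing to fail on, independent of which DOI the peer claims.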
4.2 IPSEC Situation Definition
Within ISAKMP, the Situation provides information that can be used by
the responder to make a policy determination about how to process the
incoming Security Association request. For the IPSEC DOI, the